Use of Shibboleth by ARCS

Transcription

1 Use of Shibboleth by ARCS Neil Witheridge Manager, ARCS Authorisa7on Services Internet2 Members Mee7ng, Fall, October 2009

2 Overview Australian HE Research & ARCS Background ARCS reliance on AAF: Current AAF Status ARCS & Other Research Services Grid, Data, Collabora7on; Research Domain Specific AAF interoperability with the Grid Grid Security Infrastructure, Short Lived Creden7al Service Authen7ca7on and Authorisa7on Scenarios ARCS Authorisa7on Services Strategy Future Plan: PaRerns and Solu7ons HE: Higher Educa7on ARCS: Australian Research Collabora7on Service AAF: Australian Access Federa7on

3 Australian HE Research Infrastructure Investment 1998: Australian Partnership for Advanced Compu7ng APAC responsibility included Australian Grid Services 2001: Systemic Infrastructure Ini7a7ve Focus on Data, Repositories, Access (included MAMS project) 2005: Na7onal Collabora7ve Research Infrastructure Strategy (NCRIS) Delivery of Na7onal, Discipline based capabili7es PlaZorms for Collabora7on (PfC) (includes ARCS, taking over APAC role) 2009: Educa7on Investment Fund Super Science

4 PlaZorms for Collabora7on (PfC) PfC is an NCRIS Capability Whole fabric research collabora7on infrastructure Grid (HPC, Data), Data, Federa7on, Collabora7ve tools, Network ARCS: Australian Research Collabora7on Service Established 2007 ANDS: Australian Na7onal Data Service NCI : Na7onal Computa7onal Infrastructure AAF: Australian Access Federa7on NREN: Na7onal Research & Educa7on Network (AARNet)

5 ARCS Overview ARCS Services Teams Systems Services (Grid Services, Systems deployment) Data Services (ARCS Data Fabric) Collabora7on Services (collabora7ve tools e.g. VideoConf, CMS, SW Dev) Authorisa7on Services (Research group authn & authz requirements analysis, authorisa7on advice & infrastructure, exemplars, solu7ons) ARCS Mission long term eresearch support, services and tools Members of ARCS state based research infrastructure VPAC, Intersect, QCIF, ivec, SAPAC, TPAC, ANU, CSIRO Customers: Research groups and service providers Na7onal, discipline based research groups, including PfC partners (AAF, ANDS, NCI)

6 ARCS Authorisa7on Services Role Support Research Groups and Service Providers in delivering services relying on authen7ca7on and authorisa7on (authnz) Analyse requirements, and provide exper7se, advice, exemplars Exemplars (demonstrate what can be done to protect resources) Implement (procure/develop) and deploy authnz solu7ons sa7sfying research groups and service provider s security requirements Provide customer support for ARCS Authorisa7on Services ARCS CA s, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service Develop and pursue a unified strategy for authnz Apply secure technologies and protocols Apply Federated Access (i.e. Shibboleth) to achieve integra7on with the AAF Apply Grid Security Infrastructure Analyse access scenarios and iden7fy parerns & solu7ons

7 Australian Access Federa7on Origins of Aust n HE use of Shibboleth MAMS project delivered an opera7onal Federa7on MAMS Level 2 Testbed Federa7on zero policy federa7on (no policy based Trust) Now, CAUDIT s Pilot AAF Project CAUDIT: Council of Australian University Directors of IT Adop7ng SWITCH Federa7on infrastructure Resource Registry, Discovery Service, uapprove etc. Policy framework established Rules for Par7cipants AusCERT will provide a PKI for Australian HE

8 AAF Schedule Pilot AAF Status Technical Infrastructure & Policy Framework in place Currently Migra7ng IdPs and SPs from MAMS Level 2 Testbed to Pilot AAF Requirement for IdPs and SPs to agree to Rules for Par7cipants Best Endeavours i.e. self asserted compliance (as described in ) AAFInc incorporated as an Associa7on Domain names, Trademarks etc. being procured Tendering process for AAF Operators will commence 4Q09 Produc7on AAF due to be deployed 1H10 Updated Policies, stricter compliance, audi7ng

9 ARribute Usage in the AAF aueduperson schema AAF Mandatory ARributes (as described in Rules for Par7cipants) End user arributes edupersontargetedid, auedupersonsharedtoken o, cn, mail, displayname edupersonaffilia7on, edupersonscopedaffilia7on edupersonen7tlement edupersonassurance Other arributes Authen7ca7onMethod

10 ARCS use of auedupersonsharedtoken User Iden7fier required by ARCS Services (esp. Grid) Non targeted, federa7on unique, persistent iden7fier IdP releases same aepst value to all ARCS services for an end user ARCS Auth Svcs delivers technical components and processes for genera7on and portability of aepst Genera7on Uniqueness relies on sta7s7cal proper7es of hash func7on & unique inputs used to create aepst generated at IdP & stored in directory/database Portability When end user moves to different IdP, takes aepst value Use of signed statement of ownership for por7ng to new IdP Other mechanisms, including IdP IdP protocol, under inves7ga7on

11 ARCS IdP ARCS has established an IdP for users of ARCS services without a Federa7on IdP Registra7on web interface and process ARCS Registra7on Authority Iden7ty proofing involves internal vouching for iden7ty User confirma7on required by Shibboleth IdP Supports AAF mandatory arributes Genera7on & Portability of SharedToken

12 ARCS IdP Workflow 1.1 Web Browser end-user Registration Request 1.2 Confirmation by 2.1 Change password Registration Interface uid + password + attributes Registration Authority (RA) Password Management 1.3 On approval ARCS IdP 2.2 new password ARCS IdP Directory 3.3 * attribute release policy Shibboleth IdP 3.3 authn Discovery Service 3.2 * Web Browser end-user select IdP attribute query/ response 3.1 access Join ARCS IdP Password Management Federated Access to Service * Service Provider attribute acceptance/mapping policy 3.5 Web App access uid + password * Member of AAF

13 ARCS & Related Services (to date) ARCS Services Grid Services (Grid Security Infrastructure, Virtual Organisa7ons) Data Fabric (WebDAV client/server, irods service, Groups ) Collabora7on Services Comms & CMS/framework Tools (Web app s, Community/Groups) CMSs requiring integra7on with the Data Fabric Research Services Web enabled Grid Portals (Web portals requiring delegated authen7ca7on to Grid Services) OPeNDAP Services (Shib enabled server, access via Matlab, incl. scripted) Goal is for all to be accessible via the AAF

14 Grid Services Use of PKI Interna7onal Grid Trust Federa7on (IGTF) APGridPMA, EuGridPMA, TAGPMA (CA accredita7on agencies) Grid Security Infrastructure (implemented by Globus toolkit) IGTF X.509 Cer7ficate profiles: Classic X.509 (i.e. long lived, defined Registra7on process) Short Lived Creden7al Service (SLCS) Member Integrated Creden7al Service (MICS) APAC CA issues classic X.509 Cert s (following Registra7on) CA CP/CPS (Cer7ficate Policy / Cer7fica7on Prac7ces Statement) Specify iden7ty management requirements, format for dis7nguished names (DNs), private key management policy SLCS & MICS Cer7ficates (generate certs from Shib creden7als)

15 Research Services Access PaRerns PaRerns encountered so far: Federated access to Grid Services Federated access to Web applica7ons Federated access integra7on with non web applica7ons Access via standalone (e.g. Java) Applica7ons Access via Opera7ng System Components Federated Access involving Delegated Authen7ca7on Integra7ng Federated Authen7ca7on & batch mode (i.e. scripted) access

16 Marriage of Shibboleth and GSI Use of AAF Access, SLCS and Proxy Cer7ficates Grid interoperability using SLCS SLCS and Proxy cer7ficates deliver key authen7ca7on capabili7es SSO for non web services (SLCS and Proxy cert s) Delegated authen7ca7on using Proxy Cer7ficates Issues remain SLCS cer7ficate is cached authen7ca7on event SLCS cer7ficates without passwd protec7on

17 Grid Security Infrastructure Issuance of trusted X.509 Cer7ficate Signed by trusted root CA e.g. APAC CA, IGTF accredited IGTF policy requires password protec7on of private key for long lived cer7ficates Use of Proxy Cer7ficates Grid has pioneered use of proxy cer7ficates Cer7ficate signed by private key of end en7ty cer7ficate to be proxied Provides for Single Sign On Short lived cer7ficate, hence no need to password protect private key Delegated Authen7ca7on Proxy cer7ficate issued to service for delegated authen7ca7on

18 Classic Grid Cer7ficates PrivGS PubGS X.509 CA Certificate PubGS DNGS: host Grid Service (GSI-enabled) 2.1 Access Grid Service Trusted CA certs Trusted CA Bundle Mutual Authentication IGTF International Grid Trust Federation Trust PrivCA PubCA X.509 CA Certificate PubCA DNCA: Root CA Grid CA 1.3 Certificate Signing Request Grid Client (GSI-enabled) Note: password protection of private key end-user PrivEE PubEE 1.1 Request Grid Certificate Registration Process 1.2 Approval Certificate Issuance X.509 CA Certificate PubEE DNEE: end-entity 1.4 Grid Certificate classic X.509 Lifetime ~ 1 year Registration Authority Operator (RAO) Grid-User Registration Authority

19 Proxy Cer7ficates Storing a creden7al Provides for SSO and Delega7on PrivMP PubMP end-user Grid Client (GSI-enabled) 1.1 Request Put Proxy (with Grid Cert and authn credentials for retrieval) X.509 CA Certificate PubMP DNMP: host MyProxy Server PrivEE X.509 CA Certificate PubEE DNEE: end-entity PubEE 1.4 X.509 EE Certificate PubEE DNEE P : P end-entity Sign Proxy Certificate PubEE P 1.5 Upload Certificate Chain 1.3 Certificate Signing Request 1.2 Create Keypair PrivEE P PubEE P X.509 CA X.509 EE Certificate Certificate PubEE PubEE DNEE: DNEE P : P end-entity end-entity Trusted Grid CA

20 Proxy Cer7ficates retrieving a proxy for SSO 2.1 Access Grid Service Grid Client (GSI-enabled) Mutual Authentication, Client authn with Proxy PrivMP PubMP X.509 CA Certificate PubMP DNMP: host end-user PrivEE PubEE 1.1 Request Get Proxy (with MyProxy authentication credentials) MyProxy Server Note: No password protection of private key X.509 CA Certificate PubEE DNEE: end-entity PrivEE PP PubEE PP X.509 EE P Certificate PubEE DNEE PP : PP end-entity-pp X.509 EE Certificate PubEE DNEE P : P end-entity 1.2 Create Keypair PubEE PP Retrieve Proxy Certificate Chain Certificate Signing Request PrivEE P PubEE P X.509 CA X.509 EE Certificate Certificate PubEE PubEE DNEE: DNEE P : P end-entity end-entity X.509 EE P Certificate PubEE 1.4 Sign Proxy DNEE PP : PP end-entity-pp

21 Proxy Cer7ficates retrieving a proxy for Delega7on 2.1 Access Grid Service on behalf of end-user Mutual Authentication, Delegatee Service authn with Proxy Delegation Service (GSI-enabled) 1.1 Request Get Proxy (with MyProxy authentication credentials) Authorises Service to download proxy (provides credentials to authenticate to MyProxy to download proxy) PrivEE PP X.509 CA Certificate PubEE DNEE: end-entity PubEE PP 1.2 Create Keypair X.509 EE Certificate PubEE DNEE P : P end-entity 1.3 Certificate Signing Request PubEE PP X.509 EE P Certificate PubEE DNEE PP : PP end-entity-pp 1.5 Download Proxy Certificate Chain

22 Grid Authen7ca7on and Authorisa7on Cer7ficate DN is mapped to local account on cluster Use of AuthTool and GUMS (Grid User Management System) Several different architectures for authen7ca7on, but each convert to local account name under *nix. Authorisa7on and Virtual Organisa7ons Virtual Organisa7on Management System (VOMS) VOMRS extended u7lity by allowing delegated admin and mul7ple VO membership Extension of use of Proxy Cer7ficates (VOMS Cer7ficates) VO membership and role stored in non cri7cal extension of cer7ficate VO membership and role mapped to local user/group account

23 voms-proxy-info -all VOMS Proxy Example ARCS uses VOMRS for Virtual Organisa7on Administra7on subject : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins/CN=proxy/CN=proxy/CN=proxy/CN=proxy issuer : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins/CN=proxy/CN=proxy/CN=proxy identity : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins/CN=proxy/CN=proxy/CN=proxy type : proxy strength : 1024 bits path : /tmp/x509up_u1000 timeleft : 11:59:53 === VO ARCS extension information === VO : ARCS subject : /C=AU/O=APACGrid/OU=VPAC/CN=Graham Jenkins issuer : /C=AU/O=APACGrid/OU=ARCS/CN=vomrs.arcs.org.au attribute : /ARCS/StartUp/Role=NULL/Capability=NULL attribute : /ARCS/Role=NULL/Capability=NULL attribute : /ARCS/NGAdmin/Role=NULL/Capability=NULL attribute : /ARCS/VPAC/Role=NULL/Capability=NULL attribute : /ARCS/NRI/Role=NULL/Capability=NULL attribute : /ARCS/Cloud/Role=NULL/Capability=NULL timeleft : 23:55:09 uri : vomrs.arcs.org.au:15001

24 ARCS Short Lived Creden7al Service ARCS Grid/AAF Integra7on: SLCS Service (Shib SP) IGTF Authen7ca7on Profile SLCS X.509 Profile Genera7on of Grid trusted X.509 cer7ficates based on end user arributes obtained via AAF authen7ca7on Access control based on IdP agreement to Usage Policy SLCS Client implementa7on ARCS Auth Svcs has implemented SLCS client java libraries Grid desktop clients, Grix and Grisu, include SLCS client in order for users to authen7cate via AAF Users need know nothing about key pairs, cer7ficates

25 SLCS Cer7ficate Format Plan for Level 1 and Level 2 CA s (Level 2 accredited by IGTF) SLCS Level 1 cer7ficate trusted within Australian Grid Services Level 1 cer7ficate issued if edupersonassurance value is not provided or equal to value for Iden7ty LoA = 1 Subject dis7nguished name (DN) DC components corresponding to SCLS CA (only Level 1 currently) i.e. DC=au,DC=org,DC=arcs,DC=slcs O component consis7ng of o arribute value e.g. O=ARCS IdP CN component consis7ng of cn arribute value and auedupersonsharedtoken arribute value e.g. CN=John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk Example DN value DC=au,DC=org,DC=arcs,DC=slcs, O=ARCS IdP, CN=John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk altsubjectname mail arribute value (valid address for user)

26 SLCS Client Implementa7on SLCS Client needs to generate key pair in secure file system loca7on Current java library implementa7on, and command line implementa7on using java library Client relies on Built in hrp client to interact with DS, IdP Screen scraping of IdP authen7ca7on interface Users entering IdP creden7als into non browser interface ARCS Grid clients: Grix and Grisu

27 SLCS Grid Cer7ficates Workflow Discover Service Identity Provider end-user 1.1 Enter IdP username & password Java application e.g. SLCS Command-line client PrivEE PubEE X.509 SLCS Certificate CA PubEE DNEE: end-entity SLCS Client Java library http client Shib SP Attributes used: auedupersonsharedtoken CN mail edupersonassurance SLCS Server VOMRS Startup VO SLCS Level-1 CA SLCS Level-2 CA ARCS Security Infrastructure

28 ARCS Data Fabric Effec7ve Data Management and Storage Cri7cal capability for Researchers, PfC focus Data Storage Solu7on: ARCS Data Fabric Distributed storage aggregated using irods (Integrated Rule Oriented Data System) Interfaces to irods CLI (icommands), GUI (irods Explorer), Web (irods Web Browser) Username/password or GSI authn DAVIS WebDAV and HTTP access

29 Data Fabric Workflow (access via DAVIS) Enter: IdP, username & password (a) 1.2 DS 1.3 IdP 1.5 ARCS Security Infrastructure end-user ARCS IdP/neil.witheridge *************** WebDAV client E.g. Windows Explorer (a) Considering using an ARCS Username and Password generated by ARCS Access Service for use in accessing ARCS Data Fabric 1.1 DAVIS PrivEE WebDAV Server SLCS Client PubEE X.509 SLCS Certificate CA PubEE DNEE: end-entity PubEE CSR SSL Mutual Authentication 1.8 SP 1.6 irods SLCS Server X.509 SLCS Certificate CA PubEE DNEE: end-entity SLCS CA Data Sources Data Fabric Infrastructure

30 ARCS Collabora7on Tools Content Management Systems & Frameworks Plone, Twiki, Confluence, Sakai, Drupal Integra7on with AAF and Data Fabric (links to DF resources) Communica7ons Tools EVO, Access Grid, Jabber What are the authen7ca7on and authorisa7on requirements Cost/benefit of integra7on with AAF authen7ca7on How much work, internal refactoring, to integrate Collabora7ve Sotware Development Tools Trac, SVN, Git, Hudson Web interfaces protected by Shibboleth. CLI s?

31 Plone Integra7on with AAF + Data Fabric AAF Integra7on Plone (Shibboleth enabled authen7ca7on) ARribute requirements for Plone SharedToken, mail, cn, displayname (genera7on of WikiName) Data Fabric Integra7on (requires GSI and Shibboleth) Requirement: Search for DF resource to link to Access irods via GSI to view and select DF resource Obtain user s SLCS cer7ficate, authen7cate with irods irods delivers list of resources accessibly by user Requirement: Access DF resource via link Link to protected resource, maybe user can t access Access via Davis, using Shibboleth SSO If authorised to access, Davis provides download dialog

32 Web Portal Access To Grid Resources Development by auscope of an AAF enabled Web Portal which requires delegated authen7ca7on to access Grid Service How can a portal obtain the user s SLCS cer7ficate proxy without user crea7on of SLCS? It can t. How about the portal genera7ng the user s SLCS cer7ficate? IGTF SLCS Profile specifica7on (Private Key Management) The SLCS authority shall issue X.509 short lived cer7ficates to end en77es based on cryptographic data generated by the applicant, or based on cryptographic data that can be held only by the applicant (e.g. on a secure hardware token; generated from a transient yet unique session handle retrieved from the applicant s encrypted session). (RFC3647: 6.1)

33 Approaches Considered & Prototyped SLCS Delega7on Service Portal generates the user creden7als i.e. keypair & requests and is issued a cer7ficate under the users DN Portal generates and manages the user s creden7als SLCS Proxy Service ARCS SLCS Proxy Service generates the user creden7als & requests a SLCS cer7ficate under the user s DN, & uploads the SLCS cer7ficate to MyProxy allowing the portal to retrieve a proxy cert signed by the user s SLCS cert. ARCS Service generates and manages the user s creden7als Portal obtains a proxy cer7ficate

34 SLCS Delega7on ARCS Security Infrastructure Shib IdP 4 attributes Shib SP SLCS Delegation Service 7 CSR SLCS CA 3 authenticate 2 Redirect to SLCS Delegation Service 6 SLCS Certificate Signing Request end-user EU Client webbrowser 1 10 http POST EU Access Response 5 8 SLCS certificate Authorisation token EU key-pair & SLCS cert Web Portal Service Grid & Delegation Service Client GSI 9 Access GSI Service with Delegated Authentication GSI Grid Service

35 SLCS Proxy ARCS Security Infrastructure Shib IdP 4 attributes Upload SLCS cert & enable Proxy Retrieval Shib SP SLCS Proxy Service EU key-pair & SLCS cert 6 5 CSR MyProxy SLCS CA 8 Proxy Certificate Request 3 authenticate end-user webbrowser 2 Redirect To SLCS Proxy Service MyProxy 7 Authentication cred s http POST 1 EU Access 11 Response Proxy key-pair & cert chain Web Portal Service GSI 9 Proxy certificate 10 Access GSI Service with Proxy cert. GSI Grid Service

36 Web Portal Delegated Access Becoming a common requirement Proposed change to IGTF Guidelines Genera7on and Storage of Private Keys on an appropriate computer system that is administered by a third party To be discussed at OGF27 next week. S7ll stringent requirements on 3rd Party handling of user s private keys If passed, SLCS Delega7on OK if Portal conforms to guidelines, and SLCS Proxy OK as ARCS will conform.

37 Access to OPeNDAP resources OPeNDAP server (Shibboleth enabled) Access to GeoSpa7al Data (Integrated Marine Observing System IMOS) Access typically via non web client tools such as Matlab Matlab uses OPeNDAP client library (Java, Python) Integra7ng AAF Authen7ca7on & Matlab access Considered Shibboleth Proxy Requires storing user s IdP cred s in a config file. Batch mode access to OPeNDAP resources Scripted invoca7on of Matlab with no end user interac7on Solu7on: use of SSL AuthN (user s SLCS Cer7ficate)

38 Matlab batch Mode Access To OPeNDAP resources (Use of SLCS Certificate for SSL Authentication) Gezng SLCS Cer7ficate 1.2 DS IdP 1.3 IdP username & password ARCS Security Infrastructure SP 1.5 SLCS Server 1.5 SLCS CA end-user PrivEE SLCS Client X.509 SLCS Certificate CA PubEE DNEE: end-entity PubEE 1.6 Matlab Client https client Using SLCS Cer7ficate SSL Mutual Authentication 2.1 Apache 2.2 auedupersonsharedtoken Service

39 Recap: Authen7ca7on Scenarios Examined Browser to web applica7ons (not many yet, Grid focus) SLCS Access to Grid Services (Cer7ficate life 7me issues, s7ll need to support access via classic cer7ficates) SLCS Client workflow (entering IdP creden7als into non browser UI s) Data Fabric access (passing IdP cred s to DAVIS via WebDAV) Web portals access to Grid Services (Delega7on issue) CMS (e.g. Plone)/AAF/Data Fabric Integra7on Non Web Client access to OPeNDAP services (Matlab ) Batch mode access to OPeNDAP services These address Authen7ca7on, not Authen7ca7on

40 ARCS Authorisa7on Scenarios How is authorisa7on currently performed for ARCS Services? Virtual Organisa7on Management for Grid VOMRS Data Fabric: Groups in irods Collabora7on Services: Groups in CMS s Recogni7on of need for Services to control access and authorisa7on rights Informa7on from IdPs not useful in general for authz

41 ARCS Access Service ARCS Access Service for ARCS Services Registra7on (assignment of Default Authorisa7on Rights) Tracking user communi7es (auedupersonsharedtoken) Allocate ARCS Username (ARCS Services unique name) consistent user naming across ARCS Services Caching arributes at 7me of registra7on Detec7ng arribute change (e.g. IdP, affilia7on) Authorisa7on Rights Management For non default Authorisa7on Rights Authorisa7on Rights tokens urn:<serviceidentifier>:<token value>

42 Shib-enabled Services SP Shib AuthN 2a end-user ARCS Access Service Query (SP, aepst, atts) 1 Shib AuthN Response (authz rights, ARCS username, Δatts) SP ARCS Access Service Shib attributes Registration Specify Services 2b Default Authorisation Rights non- Shib-enabled Services ARCS username & pwd AuthN ARCS Username ARCS LDAP AuthZ rights Shibboleth attributes ARCS username & pwd Authorisation Rights Management Attribute Change Detection IdP ARCS Registrar 1a Registration approval for chosen SPs Registration Process

43 ARCS Authorisa7on Services Strategy Avoid devia7ng from proven protocols Security analysis difficult, costly (so minimise) Analyse research services access and chains of authnz informa7on flow Iden7fy parerns and formulate solu7ons Adopt proven (security analysed) mechanisms Shibboleth GSI (X.509 cer7ficates, Proxy Cer7ficates) Classic, SLCS & MICS cer7ficates (IGTF profiles) Differen7ate Authen7ca7on and Authorisa7on parerns

44 ARCS Authorisa7on Services Strategy (cont d) Iden7fy secure enough (e.g. take lead from Grid) Hide PKI from end users Take heed of HE iden7ty management policies Don t require entry of creden7als into untrusted interfaces of storage in file system Prohibit shared iden77es (e.g. shared test account) Keep usage logs, allow self audi7ng Provide produc7on quality components to implement usable & reliable solu7ons. Track interna7onal trends and adopt & adapt

45 Abstrac7on and Classifica7on ARCS Authorisa7on Services is seeking to abstract Authen7ca7on and Authorisa7on workflows in HE research domain Iden7fy & document parerns & implement solu7ons Deliver (or recommend 3 rd party) produc7on quality libraries & tools for research service developers Acquire or construct required Middleware Shibboleth, GSI (or plain old SSL) enablement Apply incremental and itera7ve analysis and development to parerns & solu7ons Keep track of and in sync with global trends

46 Audi7ng and Auditability Importance of detec7ng intrusion & compromise Emphasize logging and audi7ng from ground up Allow self audits reports to users on ac7vi7es? Signed & encrypted for security Automated Detec7on Repor7ng unexpected ac7vity Respond to compromise alerts, iden7fy responsibility for forensics Open Ques7ons Would self audi7ng actually work in research community? U7mately, automated audi7ng is an important goal.

47 ARCS Auth Svcs Future Direc7ons Authen7ca7on Understand Shibboleth Roadmap and implica7ons New Shibboleth profiles (ECP, key holder) Understand Grid Roadmap and implica7ons Changes to Grid (OGSA i.e. Web Services, SOA) Use MICS (Long lived creden7als from Shib) & SLCS Authorisa7on Develop and u7lise the ARCS Access Service Inves7gate CoManage for Authorisa7on Rights Mgnt Inves7gate and deliver exemplars of use of XACML

48 ARCS Auth Svcs Future Direc7ons Tracking interna7onal trends in authn/z technology interoperability Authentication: t Shibboleth SAML furure profiles Shibboleth SAML current profiles Grid GSI SSL X.509 & Proxy Certs OGSA SOA WS ws-security Current focus in ARCS Authorisation: Authorisation Rights Mgnt: Authorisation processing: XACML? ARCS Access Service CoManage, Grouper, PerMIT?

49 End of Presenta7on Ques7ons? Thankyou